Update elfinder to 2.1.61.

composer.json

@@ -33,7 +33,7 @@
 		"rob006/yii-tinymce": "^1.0"
 	},
 	"replace": {
-		"studio-42/elfinder": "2.1.59"
+		"studio-42/elfinder": "2.1.61"
 	},
 	"autoload": {
 		"classmap": [

vendor/Changelog

@@ -1,3 +1,21 @@
+2022-03-14  Naoki Sawada  <[email protected]>
+	* elFinder (2.1.61):
+		- [security] Fixed #3458 filename bypass leading to RCE on Windows server
+		- [security:CVE-2022-26960] Fixed a path traversal issue
+		- [i18n] Updated ru and fr
+		- [js] Updated CDNs of external libs
+		- And some minor bug fixes
+
+
+2021-11-12  Naoki Sawada  <[email protected]>
+	* elFinder (2.1.60):
+		- [VD:OneDrive] show error on _od_obtainAccessToken()
+		- [ui:cwd] make easily able to mapping mimetype to the kind (#3375) 
+		- [cmd:rm] Fixed an issue that sometime ignore the delete button and into the trash
+		- [VD:LocalFileSystem] Fixed #3429 RCE on Windows server
+		- [js:core,options] Fixed #3401 add an option workerBaseUrl
+
+
 2021-06-13  Naoki Sawada  <[email protected]>
 	* elFinder (2.1.59):
 		- [Security:php] Fixed multiple vulnerabilities leading to RCE
@@ -32,7 +50,7 @@
 	* elFinder (2.1.57):
 		- [js] Fixed #3148 to support jQuery 3.5.0 update
 		- [php:core] Fixed #3154 volume that require online access cannot be specified
-		- [VD:abstract] Fixed #3161 fix option data of cwd results on after change files
+		- [VD:abstract] Fixed #3161 Fixed option data of cwd results on after change files
 		- [VD:abstract] Fixed #3167 added "none" (no image library check) to `imgLib`
 		- [cmd:resize] Fixed #3158 to make able to change quality without changing dimensions
 		- And some minor bug fixes
@@ -290,8 +308,8 @@
 		- [css:dialog] rel #2724 correction style of `td.elfinder-info-hash`
 		- [ui:navdock] Fixed #2747 theme support of CSS fine tuning part
 		- [ui:navdock] rel #2747 correction of the ui size adjustment
-		- [css:commands] Fixed #2748 fix spinner position in rtl and unify `elfinder-info-spinner` to `elfinder-spinner`
-		- [css:command] rel #2748 typo fix of "spiner" to "spinner"
+		- [css:commands] Fixed #2748 Fixed spinner position in rtl and unify `elfinder-info-spinner` to `elfinder-spinner`
+		- [css:command] rel #2748 typo Fixed of "spiner" to "spinner"
 		- [cmd:quicklook] Fixed #2742 ViewerJS integration for PDF,ODT,ODS,ODP
 		- [ui:toolbar] Fixed #2751 correction rtl-toolbar (float icons in group)
 		- [css:toolbar] rel #2751 mirroring some icons for rtl
@@ -363,7 +381,7 @@
 		- [VD:abstract] Fixed #2564 bugfix of MIME-Type detection
 		- [cmd:quicklook,VD:abstract] Fixed #2575 add CAD-Files and 3D-Models online viewer on sharecad.org
 		- [cmd:edit] Fixed #2570 add online-convert.com integration
-		- [cmd:edit] Fixed #2580 fix detectation of current enabled editors
+		- [cmd:edit] Fixed #2580 Fixed detectation of current enabled editors
 		- [cmd:help] Add a tab "Integrations" to listing external services
 		- [cmd:edit:images] Fixed #2568 open one format save to another
 		- [js:core] Fixed #2582 sync size of list view column headers on browser resize
@@ -544,15 +562,15 @@
 		- [js:core] Fixed #2238 always same filename on upload with some iOS devices
 		- [js:core] Fixed #2240 correspond to parallel request in "Cancel" in notify dialog
 		- [VD:FTP] Fixed #2243 problem of symlink handling
-		- [ui:cwd] bug fix of contextmenu on the "Old School"
+		- [ui:cwd] bug Fixed of contextmenu on the "Old School"
 		- [cmd:quicklook] Fixed #2249 close-able docked preview window
 		- [api] cmd `size` can return size infomation of each targets as `sizes`
 		- [api] accept HTTP header "X-elFinderReqid"
 		- [cmd:quicklook:plain text] show all contents with click an element `charsLeft`
 		- [VD:abstract] Fixed #2253 `elFinderVolumeDriver::getWorkFile()` dose not work
 		- [cmd:resize] Fixed #2251 add an option `commandsOptions.resize.getDimThreshold` for rapid starting
 		- [VD:abstract] Fixed #2257 save as progressive JPEG on image editing
-		- [VD:abstract] bug fix of detecting of `tmpLinkPath` and `tmpLinkUrl`
+		- [VD:abstract] bug Fixed of detecting of `tmpLinkPath` and `tmpLinkUrl`
 		- [cmd:resize] Fixed #2265 show the jpeg image save file size
 		- [ui:dialog] Fixed #2264 add an option `uiOptions.dualog.focusOnMouseOver`
 		- [cmd:resize] make rotatable directly with mobile devices
@@ -1155,7 +1173,7 @@
 		- Multi-line filename editing on icon view
 		- Auto expands filename editing on list view
 		- Fixed #1124, Uploading problem exactly 20MiB/30MiB/40MiB...
-		- Marged #1125, Fix file permissions for MySQL LOAD_FILE command
+		- Marged #1125, Fixed file permissions for MySQL LOAD_FILE command
 		- Fixed #1127, Supported full path including the drive letter of the Windows server
 		- Marged #1131, #1132, Complete Romanian(ro) translation
 		- Fixed symbolic link file stats `mtime`, `size`

vendor/README.md

@@ -1,7 +1,7 @@
 elFinder
 ========
 
-**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.58 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**
+**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.60 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**
 
 [![elFinder file manager for the Web](https://studio-42.github.io/elFinder/images/elFinderScr.png "elFinder file manager for the Web")](https://studio-42.github.io/elFinder/)
 
@@ -16,6 +16,7 @@ used in Mac OS X operating system.
 [![CDNJS version](https://img.shields.io/cdnjs/v/elfinder.svg)](https://cdnjs.com/libraries/elfinder)
 [![Donate Paypal(nao-pon)](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FF5FKRSMKYDVA)
 [![Donate Bitcoin(nao-pon)](https://img.shields.io/badge/Donate-Bitcoin-orange.svg)](https://studio-42.github.io/elFinder/tools/donate-bitcoin/)
+[![Buy me a coffee](https://img.shields.io/static/v1.svg?label=Buy%20me%20a%20coffee&message=🥨&color=black&logo=buy%20me%20a%20coffee&logoColor=white&labelColor=6f4e37)](https://www.buymeacoffee.com/naopon)
 
 Contents
 --------
@@ -124,7 +125,7 @@ Installation
 Downloads
 ------------
 **Stable releases** ([Changelog](https://github.com/Studio-42/elFinder/blob/master/Changelog))
- + [elFinder 2.1.59](https://github.com/Studio-42/elFinder/archive/2.1.59.zip)
+ + [elFinder 2.1.61](https://github.com/Studio-42/elFinder/archive/2.1.61.zip)
  + [elFinder 2.0.9](https://github.com/Studio-42/elFinder/archive/2.0.9.zip) (deprecated)
 
 **Nightly builds**
@@ -198,7 +199,7 @@ Support
 Authors
 -------
 
- * Current main developer: Naoki Sawada <[email protected]>
+ * Current main developer: Naoki Sawada <[email protected]> [![Buy me a coffee](https://img.shields.io/static/v1.svg?label=Buy%20me%20a%20coffee&message=🥨&color=black&logo=buy%20me%20a%20coffee&logoColor=white&labelColor=6f4e37)](https://www.buymeacoffee.com/naopon)
  * Chief developer: Dmitry "dio" Levashov <[email protected]>
  * Maintainer: Troex Nevelin <[email protected]>
  * Developers: Alexey Sukhotin, Naoki Sawada <[email protected]>

vendor/assets/css/elfinder.full.css

@@ -1,9 +1,9 @@
 /*!
  * elFinder - file manager for web
- * Version 2.1.59 (2021-06-14)
+ * Version 2.1.61 (2.1-src Nightly: 1733024) (2022-03-15)
  * http://elfinder.org
  * 
- * Copyright 2009-2021, Studio 42
+ * Copyright 2009-2022, Studio 42
  * Licensed under a 3-clauses BSD license
  */
 

vendor/assets/js/elfinder.full.js

@@ -1,9 +1,9 @@
 /*!
  * elFinder - file manager for web
- * Version 2.1.59 (2021-06-14)
+ * Version 2.1.61 (2.1-src Nightly: 1733024) (2022-03-15)
  * http://elfinder.org
  * 
- * Copyright 2009-2021, Studio 42
+ * Copyright 2009-2022, Studio 42
  * Licensed under a 3-clauses BSD license
  */
 (function(root, factory) {
@@ -844,6 +844,14 @@ var elFinder = function(elm, opts, bootCallback) {
 	 */
 	this.i18nBaseUrl = '';
 
+	/**
+	 * Base URL of worker js files
+	 * baseUrl + "js/worker/" when empty value
+	 * 
+	 * @type String
+	 */
+	this.workerBaseUrl = '';
+
 	/**
 	 * Is elFinder CSS loaded
 	 * 
@@ -1163,6 +1171,7 @@ var elFinder = function(elm, opts, bootCallback) {
 	})();
 
 	this.i18nBaseUrl = (this.options.i18nBaseUrl || this.baseUrl + 'js/i18n').replace(/\/$/, '') + '/';
+	this.workerBaseUrl = (this.options.workerBaseUrl || this.baseUrl + 'js/worker').replace(/\/$/, '') + '/';
 
 	this.options.maxErrorDialogs = Math.max(1, parseInt(this.options.maxErrorDialogs || 5));
 
@@ -8968,6 +8977,11 @@ elFinder.prototype = {
 			} else {
 				kind = this.kinds[mime];
 			}
+		} else if (this.mimeTypes[mime]) {
+			kind = this.mimeTypes[mime].toUpperCase();
+			if (!this.messages['kind'+kind]) {
+				kind = null;
+			}
 		}
 		if (! kind) {
 			if (mime.indexOf('text') === 0) {
@@ -10199,7 +10213,7 @@ elFinder.prototype = {
 	 * @return     {<type>}  The worker url.
 	 */
 	getWorkerUrl : function(filename) {
-		return this.convAbsUrl(this.baseUrl + 'js/worker/' + filename);
+		return this.convAbsUrl(this.workerBaseUrl + filename);
 	},
 
 	/**
@@ -10716,7 +10730,7 @@ if (!window.cancelAnimationFrame) {
  *
  * @type String
  **/
-elFinder.prototype.version = '2.1.59';
+elFinder.prototype.version = '2.1.61 (2.1-src Nightly: 1733024)';
 
 
 
@@ -11202,27 +11216,27 @@ elFinder.prototype._options = {
 	 */
 	cdns : {
 		// for editor etc.
-		ace        : 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.12',
-		codemirror : 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.61.1',
-		ckeditor   : 'https://cdnjs.cloudflare.com/ajax/libs/ckeditor/4.16.1',
-		ckeditor5  : 'https://cdn.ckeditor.com/ckeditor5/28.0.0',
-		tinymce    : 'https://cdnjs.cloudflare.com/ajax/libs/tinymce/5.7.1',
+		ace        : 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.14',
+		codemirror : 'https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.2',
+		ckeditor   : 'https://cdnjs.cloudflare.com/ajax/libs/ckeditor/4.17.2',
+		ckeditor5  : 'https://cdn.ckeditor.com/ckeditor5/33.0.0',
+		tinymce    : 'https://cdnjs.cloudflare.com/ajax/libs/tinymce/6.0.0',
 		simplemde  : 'https://cdnjs.cloudflare.com/ajax/libs/simplemde/1.11.2',
 		fabric     : 'https://cdnjs.cloudflare.com/ajax/libs/fabric.js/4.2.0',
 		fabric16   : 'https://cdnjs.cloudflare.com/ajax/libs/fabric.js/1.6.7',
 		tui        : 'https://uicdn.toast.com',
 		// for quicklook etc.
-		hls        : 'https://cdnjs.cloudflare.com/ajax/libs/hls.js/1.0.2/hls.min.js',
-		dash       : 'https://cdnjs.cloudflare.com/ajax/libs/dashjs/3.2.2/dash.all.min.js',
-		flv        : 'https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.5.0/flv.min.js',
-		videojs    : 'https://cdnjs.cloudflare.com/ajax/libs/video.js/7.12.1',
+		hls        : 'https://cdnjs.cloudflare.com/ajax/libs/hls.js/1.1.5/hls.min.js',
+		dash       : 'https://cdnjs.cloudflare.com/ajax/libs/dashjs/4.3.0/dash.all.min.js',
+		flv        : 'https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.6.2/flv.min.js',
+		videojs    : 'https://cdnjs.cloudflare.com/ajax/libs/video.js/7.18.1',
 		prettify   : 'https://cdn.jsdelivr.net/gh/google/code-prettify@f1c3473acd1e8ea8c8c1a60c56e89f5cdd06f915/loader/run_prettify.js',
-		psd        : 'https://cdnjs.cloudflare.com/ajax/libs/psd.js/3.2.0/psd.min.js',
+		psd        : 'https://cdnjs.cloudflare.com/ajax/libs/psd.js/3.4.0/psd.min.js',
 		rar        : 'https://cdn.jsdelivr.net/gh/nao-pon/rar.js@6cef13ec66dd67992fc7f3ea22f132d770ebaf8b/rar.min.js',
 		zlibUnzip  : 'https://cdn.jsdelivr.net/gh/imaya/[email protected]/bin/unzip.min.js', // need check unzipFiles() in quicklook.plugins.js when update
 		zlibGunzip : 'https://cdn.jsdelivr.net/gh/imaya/[email protected]/bin/gunzip.min.js',
 		bzip2      : 'https://cdn.jsdelivr.net/gh/nao-pon/[email protected]/bzip2.js',
-		marked     : 'https://cdnjs.cloudflare.com/ajax/libs/marked/2.0.3/marked.min.js',
+		marked     : 'https://cdnjs.cloudflare.com/ajax/libs/marked/4.0.2/marked.min.js',
 		sparkmd5   : 'https://cdnjs.cloudflare.com/ajax/libs/spark-md5/3.0.0/spark-md5.min.js',
 		jssha      : 'https://cdnjs.cloudflare.com/ajax/libs/jsSHA/3.2.0/sha.min.js',
 		amr        : 'https://cdn.jsdelivr.net/gh/yxl/opencore-amr-js@dcf3d2b5f384a1d9ded2a54e4c137a81747b222b/js/amrnb.js',
@@ -11401,6 +11415,15 @@ elFinder.prototype._options = {
 	 * @default ""
 	 */
 	i18nBaseUrl : '',
+
+	/**
+	 * Base URL of worker js files
+	 * baseUrl + "js/worker/" when empty value
+	 * 
+	 * @type String
+	 * @default ""
+	 */
+	 workerBaseUrl : '',
 
 	/**
 	 * Auto load required CSS
@@ -22425,11 +22448,11 @@ $.fn.elfindertree = function(fm, opts) {
 					arrow.data('dfrd', dfrd);
 				})
 				.on('contextmenu', selNavdir, function(e) {
+					e.stopPropagation();
 					var self = $(this);
 
 					// now dirname editing
 					if (self.find('input:text').length) {
-						e.stopPropagation();
 						return;
 					}
 
@@ -25877,7 +25900,7 @@ elFinder.prototype.commands.fullscreen = function() {
 			html.push('<div class="'+prim+'">'+fm.i18n('team')+'</div>');
 
 			html.push(atpl[r](author, 'Dmitry "dio" Levashov &lt;[email protected]&gt;')[r](work, fm.i18n('chiefdev')));
-			html.push(atpl[r](author, 'Naoki Sawada &lt;[email protected]&gt;')[r](work, fm.i18n('developer')));
+			html.push(atpl[r](author, 'Naoki Sawada (nao-pon)&lt;[email protected]&gt;')[r](work, fm.i18n('developer')));
 			html.push(atpl[r](author, 'Troex Nevelin &lt;[email protected]&gt;')[r](work, fm.i18n('maintainer')));
 			html.push(atpl[r](author, 'Alexey Sukhotin &lt;[email protected]&gt;')[r](work, fm.i18n('contributor')));
 
@@ -25894,7 +25917,7 @@ elFinder.prototype.commands.fullscreen = function() {
 
 			html.push(sep);
 			html.push('<div class="'+lic+'">Licence: 3-clauses BSD Licence</div>');
-			html.push('<div class="'+lic+'">Copyright © 2009-2021, Studio 42</div>');
+			html.push('<div class="'+lic+'">Copyright © 2009-2022, Studio 42 / nao-pon</div>');
 			html.push('<div class="'+lic+'">„ …'+fm.i18n('dontforget')+' ”</div>');
 			html.push('</div>');
 		},
@@ -30088,7 +30111,7 @@ elFinder.prototype.commands.quicklook.plugins = [
 				ql.hideinfo();
 				var doc = $('<iframe class="elfinder-quicklook-preview-html"></iframe>').appendTo(preview)[0].contentWindow.document;
 				doc.open();
-				doc.write(marked(data.content));
+				doc.write((marked.parse || marked)(data.content));
 				doc.close();
 				loading.remove();
 			},
@@ -34679,35 +34702,43 @@ elFinder.prototype.commands.rm = function() {
 	this.value = 'rm';
 
 	this.init = function() {
-		// re-assign for extended command
-		self = this;
-		fm = this.fm;
-		// bind function of change
-		self.change(function() {
+		var update = function(origin) {
 			var targets;
 			delete self.extra;
 			self.title = fm.i18n('cmd' + self.value);
 			self.className = self.value;
 			self.button && self.button.children('span.elfinder-button-icon')[self.value === 'trash'? 'addClass' : 'removeClass']('elfinder-button-icon-trash');
-			if (self.value === 'trash') {
-				self.extra = {
-					icon: 'rm',
-					node: $('<span></span>')
-						.attr({title: fm.i18n('cmdrm')})
-						.on('ready', function(e, data) {
-							targets = data.targets;
-						})
-						.on('click touchstart', function(e){
-							if (e.type === 'touchstart' && e.originalEvent.touches.length > 1) {
-								return;
-							}
-							e.stopPropagation();
-							e.preventDefault();
-							fm.getUI().trigger('click'); // to close the context menu immediately
-							fm.exec('rm', targets, {_userAction: true, forceRm : true});
-						})
-				};
+			if (origin && origin !== 'cwd' && (self.state > -1 || origin === 'navbar')) {
+				if (self.value === 'trash') {
+					self.extra = {
+						icon: 'rm',
+						node: $('<span></span>')
+							.attr({title: fm.i18n('cmdrm')})
+							.on('ready', function(e, data) {
+								targets = data.targets;
+							})
+							.on('click touchstart', function(e){
+								if (e.type === 'touchstart' && e.originalEvent.touches.length > 1) {
+									return;
+								}
+								e.stopPropagation();
+								e.preventDefault();
+								fm.getUI().trigger('click'); // to close the context menu immediately
+								fm.exec('rm', targets, {_userAction: true, forceRm : true});
+							})
+					};
+				}
 			}
+		};
+		// re-assign for extended command
+		self = this;
+		fm = this.fm;
+		// bind function of change
+		self.change(function() {
+			update();
+		});
+		fm.bind('contextmenucreate', function(e) {
+			update(e.data.type);
 		});
 	};